Cork had been audited in whole or in part by four different security firms. The project's funders include Andreessen Horowitz, OrangeDAO, and Steakhouse Financial, and Cork is a part of Andreessen Horowitz's Crypto Startup Accelerator.
Cork Protocol exploited for $12 million
Cork Protocol, a defi project aimed at "tokenizing the risk of depeg events for stablecoins and liquid (re)staking tokens", suffered a $12 million loss after an attacker exploited a bug in how the project's smart contract calculated exchange rates. The attacker stole around 3,762 wrapped staked ETH (wstETH), which they exchanged for ETH. The project announced that they were investigating the theft and had paused markets.
Cetus DEX exploited for $223 million; some funds "paused"
An attacker stole $223 million from the Sui-based Cetus Protocol. The project announced shortly after that $162 million of the funds had been frozen, leaving around $61 million unaccounted for.
This led some to question how decentralized the project truly is if the funds can be frozen in such a way.
Curve Finance website and Twitter account hacked
The website and Twitter accounts belonging to the Curve Finance defi projects were compromised in quick succession. On May 5, an attacker compromised the Twitter account belonging to the project, posting a scam in which they appeared to announce an airdrop.
Then, on May 12, the project posted a warning that the website for the Curve frontend was "hijacked" in an apparent domain takeover.
This is not the first such compromise for Curve, which suffered a frontend compromise in August 2022 that resulted in $620,000 in losses (later recovered with the help of some exchanges).
$330 million in Bitcoin apparently stolen; laundering spikes Monero price by over 40%
3,250 BTC (~$330 million) were apparently stolen from a bitcoin holder and then quickly moved through multiple exchanges and swapped for the Monero privacycoin. Such a massive swap into Monero was apparently enough to cause the Monero price to spike from around $230 to as high as around $330, before retracting somewhat.
Term Finance loses $1.65 million due to misconfiguration, recovers $1 million
The Ethereum-based lending project Term Finance lost $1.6 million when an oracle misconfiguration resulted in unintended liquidations. The team later announced that they had "successfully negotiated [the] return" of 333 ETH (~$600,000) that had been lost, and that another roughly 223 ETH (~$400,000) had been "captured internally", leaving the final loss at around 362 ETH (~$650,000).
Loopscale hacked for $5.8 million two weeks after launch
A new Solana-based defi protocol called Loopscale, backed by Coinbase Ventures and Solana Labs, suffered a $5.8 million exploit only two weeks after its launch. The stolen funds represented 12% of the protocol's TVL. The project blamed the exploit on a bug in the protocol's pricing calculations. Although the project had been audited in February by OShield, the audit evidently did not detect the flaw.
$5 million in tokens stolen from ZKsync
An attacker compromised an admin account belonging to the ZKsync Ethereum layer-2 project, which is built by Matter Labs. By doing so, they were able to steal approximately $5 million worth of the ZK token, which the project said were "the remaining unclaimed tokens from the ZKsync airdrop".
ZK Sync offered a 10% "bug bounty" to the thief, who accepted and returned 90% of the stolen funds.
KiloEx exploited for $7.5 million
KiloEx, a decentralized perpetual futures exchange, was exploited for $7.5 million. An attacker executed an oracle manipulation attack on KiloEx's pricing smart contracts to steal funds across the Base Ethereum layer-2 chain, BNB Chain, and Taiko.
KiloEx halted trading on the platform while investigating the exploit, and contacted the hacker to try to negotiate a 90% return of funds.
KiloEx later announced that the recovery had been successful, and that they would pay out the 10% "bounty".
zkLend thief gets robbed
The zkLend lending platform was hoping they could secure the return of stolen funds from the attacker who stole 3,667 ETH (~$9.5 million at the time) from the platform in mid-February. They offered a 10% "bounty" for the return of the funds, but received no reply — that is, until now.
On March 31, the attacker sent an on-chain message to the platform, writing: "Hello I tried to move funds to tornado but I used a phishing website and all the funds have been lost. I am devastated. I am terribly sorry for all the havoc and losses caused. All the 2930 eth have been taken by that site owners. I do not have coins. Please redirect your efforts towards those site owners to see if you can recover some of the money. I am sorry."
The zkLend project instructed the thief to return any remaining funds to their wallets, though no such transfer has happened yet.
There has been substantial conversation over whether the hacker had truly been in turn scammed out of the stolen funds, had made up a fake phishing site to try to obscure the path of stolen money, or perhaps whether the whole event had been an April Fools' joke. However, zkLend noted on Twitter that the phishing website, which imitates the Tornado Cash platform, has been operational for five years and is likely not connected to the hacker.
- On-chain messages between zkLend and thief
- Tweet by zkLend [archive]
Coinbase customer loses $35 million in bitcoin theft
A Coinbase customer reportedly lost 400 BTC (~$35 million) in a scam identified by blockchain sleuth zachxbt. While investigating the massive theft from the single customer, he also observed at least $11 million in thefts from various other Coinbase customers throughout March.
zachxbt has previously accused Coinbase of not doing enough to protect customers from hundreds of millions of dollars in scams, and he noted that in these cases, Coinbase had not marked the thief wallets as malicious in various cryptocurrency compliance tools.
- Telegram post by zachxbt [archive]